APPELLANTS' THIRD APPEAL BRIEF

Mail Stop Appeal Brief - Patents
Commissioner for Patents 
P.O. Box 1450
Alexandria, Virginia 22313-1450
Sir: 

This is the Applicants' Brief to maintain the appeal in the present application. It is 
responsive to the new grounds of rejection set forth in the pending "Office Action", 
mailed August 25, 2008 (Paper No. 20080820). 

Regarding fees, there is a fee difference of $15.00 for filing this Brief along with 
a two month extension. Please charge deposit account 504102 for the total fees of 
$260.00. 

Real Party in Interest 

Arbor Networks, Inc. is the real party in interest. 



Related Appeals and Interferences 

There are no related appeals or interferences. 
Status of Claims

Claims 1-32, 34 and 35 are pending in this application. Claim 33 was cancelled. 

Claims 1-32, 34 and 35 are rejected. The rejection of claims 1-32, 34 and 35 is being 
hereby appealed. 

Status of Amendments 

All amendments have been entered. There were no post-final amendments or
proposed amendments.

Summary of Claimed Subject Matter 

Please note that in the following discussion, reference is made to the instant
application as published: US Pat. Publ. No. US 2005/0005017A1.

Claim 1 concerns a system for controlling communications over a computer
network. See US 2005/0005017A1 at Fig. 1 and paragraph [0034]. The system
comprises:

access control devices for the computer network that control communications
between compartments of the computer network, see US 2005/0005017A1
at Fig. 1, reference number 114 and paragraph [0035];

attack detection system for determining whether the computer network may be
under attack, see US 2005/0005017A1 at Fig. 1, reference number 112
and paragraph [0035]; and

a control plane for instructing the access control devices to allow network
communications between the compartments of the computer network
based on a usage model describing legitimate network communications
while restricting other network communications between the
compartments, in response to attack, see US 2005/0005017A1 at Fig. 1,
reference CP and paragraph [0036].

Claim 21 concerns a method for responding to an attack on a computer network.
See generally US 2005/0005017A1 at Fig. 5. The method comprises:

generating a usage model for the computer network, see US 2005/0005017A1
at Fig. 3, reference 320 and paragraph [0067];

determining whether the computer network may be under attack, see US
2005/0005017A1 at Figs. 4A and 4B and paragraph [0072];

in response to detecting attack, determining characteristics of the attack, see
US 2005/0005017A1 at Fig. 4A, reference 418 and paragraph [0080]; and

generating instructions to access control devices compartmentalizing the
computer network in response to the characteristics of the attack, wherein
the step of generating instructions to the access control devices comprises
formulating pass and/or blocking rules for the access control devices in
response to protocol characteristics and/or port characteristics of the attack,
see US 2005/0005017A1 at Fig. 5, reference 524 and paragraphs [0105]
and [0114]-[0117];

issuing the instructions to the access control devices, which then
compartmentalize the computer network by implementing the pass and/or
blocking rules, see US 2005/0005017A1 at Fig. 5, reference 530 and
paragraphs [0125]-[0131].

Claim 35 concerns a system for controlling communications over a computer
network. See US 2005/0005017A1 at Fig. 1 and paragraph [0034]. The system
comprises:

access control devices for the computer network that control communications
between compartments of the computer network, see US 2005/0005017A1
at Fig. 1, reference number 114 and paragraph [0035];

attack detection system for determining whether the computer network may be
under attack, see US 2005/0005017A1 at Fig. 1, reference number 112
and paragraph [0035]; and

a control plane for instructing the access control devices to only allow network
communications between the host computers in different compartments of
the computer network based on a usage model describing legitimate
network communications while restricting all other network
communications between the host computers, in response to attack, see
US 2005/0005017A1 at Fig. 1, reference CP and paragraph [0036].
Grounds of Rejection to be Reviewed on Appeal

These are the new grounds of rejection set forth in the pending Office
Action/Examiner's Answer:

Issue 1. Whether claims 1-10, 12, 17, and 35 are anticipated under 35 U.S.C.
102(b) over Lermuzeaux (U.S. Patent No. 5,621,889).

Issue 2. Whether claims 11, 16, 19-23, 25-31 and 34 are unpatentable under 35
U.S.C. 103(a) over Lermuzeaux in further view of Yadav (US PgPub 2003/0149888).

Issue 3. Whether claims 13, 14, and 18 are unpatentable under 35 U.S.C. 103(a)
over Lermuzeaux as applied above, in further view of Copeland (US PgPub
2002/0144156).

Issue 4. Whether claim 15 is unpatentable under 35 U.S.C. 103(a) over
Lermuzeaux in view of Copeland and further in view of Day (US Patent 7,017,186).

Issue 5. Whether claims 24 and 32 are unpatentable under 35 U.S.C. 103(a) over
Lermuzeaux in view of Yadav as applied above, and further in view of Copeland.

Argument 

With regard to Issue 1 on Appeal, Applicants argue as follows:

Embodiments of the present invention are directed to protecting a
communications network, such as a computer network, from attack, such as from
self-propagating code or other breaches of security policies. The network is
divided into "compartments" that are separated by access control devices, such
as firewalls. The access control devices are then used to stop security breaches
such as the spread of self-propagating attack code, "zero-day" worms, for
example. However, the access control devices are configured such that, upon
activation, legitimate network services will not be jeopardized.

The invention capitalizes on the insight that much of the problem with zero-day
worms and other attacks originates from network resources that are not in normal
use. By blocking traffic that is atypical for a particular network (for instance,
database connections between two desktop systems that never normally speak a
database protocol), the system is able to generate blocking actions that stifle
the majority of attacks. On the other hand, the system is much less likely to
disrupt business processes, since the access control devices will still permit
network communications that exhibit behavior characteristic of normal
communication patterns on the network, i.e., behavior characterized by pass
rules that are also deployed to the access control devices.

The system described in Lermuzeaux has some similarities to the system of the
instant application. Lermuzeaux describes, for example, modeling behavior.
Nevertheless, what the system of Lermuzeaux lacks is anything akin to the
claimed: 1) multiple access control devices compartmentalizing the network; and
2) a control plane that instructs the access control devices to allow network
communications between the compartments of the computer network based on a
usage model describing legitimate network communications.

-Independent claims 1 and 35 

It is well established that a claim is anticipated under 35 U.S.C. §102 only if
each and every element of the claim is found in a single prior art reference.
Verdegaal Bros. v. Union Oil Co. of California, 814 F.2d 628, 631, 2 USPQ2d 1051,
1053 (Fed. Cir. 1987). Here, the independent claims contain two features that
are not shown by Lermuzeaux, thus necessitating withdrawal of the rejection.

First, each of the independent claims requires access control devices: devices
that control communications between compartments of the computer network
(claim 1), and devices instructed to only allow network communications between
the host computers in different compartments of the computer network (claim 35).

The pending Office Action argues that this feature is taught by Lermuzeaux.
Applicants respectfully disagree. Generally, Lermuzeaux takes an approach that is
consistent with many of the systems in this art. It focuses on preventing
intrusions into the computers. See Lermuzeaux, title: Facility for Detecting
Intruders and Suspect Callers in a Computer Installation and a Security System
Including such a Facility. Certainly column 6, lines 38-40, of Lermuzeaux, which
were cited for disclosing this claimed feature, only discuss intrusion
protection:

The effectors 6 are processes or other agents enabling restraining measures to
be implemented for countering attempts at intrusion, they are embedded in the
software of the machine 2 to which they are allocated, in the embodi-

Thus, Lermuzeaux does not teach access control devices deployed to
compartmentalize a network.

Instead, Lermuzeaux teaches a different approach. It appears that in the 
Lermuzeaux system the software of the "Facility for Detecting Intruders" is installed on 
each client within the network. Supporting this interpretation is the following portion of 
column 6 of Lermuzeaux: 

Abnormal computer actions are detected from data supplied by sensors 5
allocated to each machine 2 in the computer installation. The sensors 5 are
embedded in the software of the machine 2 to which they are allocated, and in
particular in the operating system thereof, given reference 2A herein, in its
basic software 2B, in its application software 2C, and in its application
interface 2D.

Thus, the claimed network compartmentalization is very different from the 
approach of Lermuzeaux, which tries to prevent intrusion at the level of the computers on 
the network. 

In short, there is nothing to support the assertion that the use of multiple access 
control devices to compartmentalize the network is taught by Lermuzeaux. 

Moreover, this theme of compartmentalization has been consistently described as
an important feature of the present invention, as expressed in paragraph [0012]
of US 2005/0005017A1:



7 of 21 



26 January 2009 
Application No.: 10/684,964 
Docket No.: 0016.0011 



[0012] The present invention is directed to a technique for protecting a
communications network, such a computer network, from attack, such as from
self-propagating code or other breaches to security policies. The network is
divided into "compartments" that are separated by access control devices, such
as firewalls. The access control devices are then used to stop the security
breach such as the spread of self-propagating attack code, the "zero-day" worms,
for example. However, the access control devices are config-

Thus, for this reason the present claimed invention is distinguishable over the 
applied reference. 

The present claimed invention is also distinguishable for having a usage model 
defining communications that are allowed by the access control device while restricting 
other communications during an attack. Specifically claim 1 requires: "a control plane 
for instructing the access control devices to allow network communications between the 
compartments of the computer network based on a usage model describing legitimate 
network communications while restricting other network communications between the 
compartments, in response to attack"; and claim 35 requires "a control plane for 
instructing the access control devices to only allow network communications between the 
host computers in different compartments of the computer network based on a usage 
model describing legitimate network communications while restricting all other network 
communications between the host computers". 

In short, the present claimed invention responds to an attack by causing access 
control devices, such as firewalls, to allow communications during an attack, not simply 
block certain communications. This distinguishes the invention from the applied 
reference. 

Column 13, lines 3-13 of Lermuzeaux were cited for disclosing this claimed 
attack response: 






performed to check the profile of an entity. The measurements corresponding to
its characteristics are performed on the behavior and they are compared with the
values recorded in the archived profile. Overall conformity with the archived
profile is evaluated, for example, on the basis of correspondences for
individual measurements, with an anomaly being indicated if conformity is
considered as being poor.

To this end, the profile checker 127 uses the target model data base 14 and the
behavior image fact base 17, together with a profile data base 20. It
co-operates with the abstractor 110 and with the behavior investigator 112. More
particularly, it informs the suspicion and reaction manager 13.

This portion of Lermuzeaux fails to mention compartmentalization or allowing
certain communications between compartments in response to attack. Instead,
this portion merely discusses how measurements are compared to established
profiles.

The problem with the Lermuzeaux approach is that it cannot guarantee that the
critical communications required to be carried by the network will continue to
take place. As described in the example of paragraph [0011] of the present
application, US 2005/0005017A1:

[0011] The problem with the existing systems for defending against attacks such
as from worms is that there is no mechanism for assuring that blocking actions
taken by the firewalls will not block services that are in legitimate use on
the network. Thus, an institution choosing to deploy these systems must make
tradeoffs between a robust defense against attack and preserving legitimate
network communications in the event of an actual or suspected attack.
Consequently, some institutions that have mission-critical communications over
their networks will make compromises in the effectiveness of the defense that is
mounted against an attack in order to ensure that these important
communications are not impacted by the attack response.

To address this problem, the claimed invention requires specific functionality:
allowing communications between network compartments based on a usage model.
This is neither shown nor suggested by the applied reference. Moreover, this
difference provides clear performance advantages by ensuring that
mission-critical communications would not be blocked in an attack.

-Dependent claims 2-4 

Claims 2, 3 and 4 specify that the network that is compartmentalized is an
enterprise network, a service provider network, or a public network,
respectively. Thus, these claims further highlight the distinction drawn
previously concerning the lack of teaching of network compartmentalization in
the applied reference.

The applied reference does not teach compartmentalization of these specific
types of network. The pending Office Action asserts to the contrary, citing
column 1, lines 26-30 of Lermuzeaux:

Numerous present-day computer installations, be they provided with centralized
processor units or be they organized in networks interconnecting geographically
distributed processor units, have various access points for serving their
users. The number of such points and the ease with

This portion does not mention the enterprise network, however. 

With respect to the rejection of claims 3 and 4, here the Office Action admits that 
the subject matter of the claims is not taught but argues that it would have been an 
obvious modification: 
5. Referring to claim 3, Lermuzeaux discloses a system as claimed in claim 1, but
does not explicitly disclose wherein the computer network is a service provider
network. The Examiner argues that the method of network profiling could be used
on any network concerned with monitoring communications, moreover, nothing in
Lermuzeaux precludes the method from being embodied in a service provider
network, thus this would have been an obvious modification over Lermuzeaux, as
would have been readily apparent to one of ordinary skill in the art.

6. Referring to claim 4, Lermuzeaux discloses a system as claimed in claim 1, but
does not explicitly disclose wherein the computer network is a public network.
The Examiner argues that the method of network profiling could be used on any
network concerned with monitoring communications, moreover, nothing in
Lermuzeaux precludes the method from being embodied in a public network, thus
this would have been an obvious modification over Lermuzeaux, as would have been
readily apparent to one of ordinary skill in the art.

However, the rejection is one for anticipation, so whether the modification
would have been obvious is irrelevant.

Thus, the rejections of these claims should also be withdrawn. 

With regard to Issue 2 on Appeal, Applicants argue as follows:

The Examiner bears the initial burden of establishing a prima facie case. In re
Oetiker, 977 F.2d 1443, 1445 (Fed. Cir. 1992). To establish a prima facie case
of obviousness, all the claim features must be taught by the prior art. In re
Royka, 490 F.2d 981, 985 (CCPA 1974). If examination at the initial stage does
not produce a prima facie case of unpatentability, then without more the
applicant is entitled to a grant of the patent. Oetiker, 977 F.2d at 1445.

Independent claim 21 requires access control devices compartmentalizing the
computer network in response to the characteristics of the attack.

As described above, Lermuzeaux fails to mention compartmentalization or
allowing certain communications between compartments in response to attack.
These features are similarly not described in Yadav. Thus, there is no prima
facie case of obviousness.

-Dependent claims 20 and 34 

Dependent claims 20 and 34 specify how the blocking rules are generated in 
contrast to how the pass rules are generated. In more detail, claim 20 requires that "the 
pass rules are generated from the usage model and the blocking rules are generated from 
the protocol information and/or port information characteristic of the attack." 

Nothing in the applied references suggests this way of generating pass rules as 
opposed to blocking rules. Neither of the references teaches the notion of using "pass 
rules" as claimed. And certainly, neither of the applied references teaches how such rules 
should be generated. 
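To make the claimed split between pass rules and blocking rules concrete, here is an added example; it is not code from the brief or from the application it discusses, and the compartments, addresses and flow records are constructed for the demonstration. The pass rules are derived from a usage model of observed inter-compartment flows, the blocking rule from the attack's protocol and port, and the decision function plays the role of an access control device sitting between two compartments.

```python
"""Added illustrative example (not from the brief or the application): usage
model -> pass rules, attack characteristics -> block rules, and the decision an
access control device between compartments would make. All data constructed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Two hypothetical compartments separated by access control devices.
COMPARTMENTS = {
    "desktops": ip_network("10.1.0.0/24"),
    "servers": ip_network("10.2.0.0/24"),
}

def compartment_of(addr):
    """Name of the compartment holding addr, or None if the host is external."""
    ip = ip_address(addr)
    for name, net in COMPARTMENTS.items():
        if ip in net:
            return name
    return None

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int

def build_usage_model(flow_records):
    """Usage model: inter-compartment (src, dst, proto, dport) tuples mapped to
    the time each was last seen (cf. claims 13 and 14). Flows to or from
    external hosts are discarded (claim 11); flows inside one compartment are
    skipped because no access control device sits on that path."""
    model = {}
    for flow, seen_at in flow_records:
        sc, dc = compartment_of(flow.src), compartment_of(flow.dst)
        if sc is None or dc is None or sc == dc:
            continue
        key = (flow.src, flow.dst, flow.proto, flow.dport)
        model[key] = max(model.get(key, seen_at), seen_at)
    return model

def generate_rules(usage_model, attack_proto, attack_port):
    """Control plane step: pass rules come from the usage model, block rules
    from the attack characteristics (the distinction in claims 20 and 34)."""
    pass_rules = sorted(usage_model)  # deterministic order for review
    block_rules = [(attack_proto, attack_port)]
    return pass_rules, block_rules

def acd_decision(flow, pass_rules, block_rules):
    """Decision of an access control device between compartments. The rule
    precedence is an assumption of this example: modelled flows pass, the
    attack block rule applies next, and all other inter-compartment traffic
    is restricted for the duration of the attack response."""
    sc, dc = compartment_of(flow.src), compartment_of(flow.dst)
    if sc is None or dc is None or sc == dc:
        return "not-controlled"  # the device does not sit on this path
    if (flow.src, flow.dst, flow.proto, flow.dport) in pass_rules:
        return "pass"
    if (flow.proto, flow.dport) in block_rules:
        return "block:attack-rule"
    return "block:default"

# Constructed flow records from normal operation (the modelling phase).
T0 = datetime(2009, 1, 26, 9, 0)
T1 = datetime(2009, 1, 26, 10, 0)
NORMAL_FLOWS = [
    (Flow("10.1.0.5", "10.2.0.10", "tcp", 1433), T0),  # desktop -> DB server
    (Flow("10.1.0.5", "10.2.0.10", "tcp", 1433), T1),  # same service, later
    (Flow("10.1.0.7", "10.2.0.20", "tcp", 80), T0),  # desktop -> intranet web
    (Flow("10.1.0.7", "10.1.0.8", "tcp", 445), T0),  # inside one compartment
    (Flow("10.1.0.5", "198.51.100.9", "tcp", 443), T0),  # external, discarded
]

def demo(attack_proto="tcp", attack_port=1433):
    """Respond to an attack seen on the database port: modelled database
    traffic keeps flowing while atypical use of that port is blocked."""
    pass_rules, block_rules = generate_rules(
        build_usage_model(NORMAL_FLOWS), attack_proto, attack_port)
    checks = [
        Flow("10.1.0.5", "10.2.0.10", "tcp", 1433),  # modelled DB traffic
        Flow("10.1.0.9", "10.2.0.10", "tcp", 1433),  # atypical DB connection
        Flow("10.1.0.7", "10.2.0.20", "tcp", 80),  # modelled web traffic
        Flow("10.1.0.9", "10.2.0.21", "tcp", 22),  # never modelled
        Flow("10.1.0.7", "10.1.0.8", "tcp", 445),  # not between compartments
    ]
    return [acd_decision(f, pass_rules, block_rules) for f in checks]
```

Running `demo()` shows the modelled database connection passing even though the attack is on the database port, while an unmodelled connection on that port is blocked by the attack rule and an unmodelled connection on another port falls to the default restriction.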

With regard to Issue 3 on Appeal, Applicants argue as follows:

This rejection is traversed for the reasons presented above with respect to the
independent claims, since the secondary references fail to provide the teaching
missing from Lermuzeaux.

With regard to Issue 4 on Appeal, Applicants argue as follows:

This rejection is traversed for the reasons presented above with respect to the
independent claims, since the secondary references fail to provide the teaching
missing from Lermuzeaux.

With regard to Issue 5 on Appeal, Applicants argue as follows:

This rejection is traversed for the reasons presented above with respect to the
independent claims, since the secondary references fail to provide the teaching
missing from Lermuzeaux.
Conclusion

For the foregoing reasons, Applicants believe that the pending rejections should
be withdrawn, and that the present application should be passed to issue. Should
any questions arise, please contact the undersigned.

Respectfully submitted, 
Houston Eliseeva LLP 



By /grant houston/ 
J. Grant Houston 
Registration No.: 35,900
4 Militia Drive, Ste 4 
Lexington, MA 02421 
Tel.: 781-863-9991 
Fax: 781-863-9931 



Date: January 26, 2009 
Claims Appendix

1. (Previously presented) A system for controlling communications over a
computer network, the system comprising:

access control devices for the computer network that control communications
between compartments of the computer network;

attack detection system for determining whether the computer network may be
under attack; and

a control plane for instructing the access control devices to allow network
communications between the compartments of the computer network
based on a usage model describing legitimate network communications
while restricting other network communications between the
compartments, in response to attack.

2. (Original) A system as claimed in claim 1, wherein the computer network is 
an enterprise network. 

3. (Original) A system as claimed in claim 1, wherein the computer network is a 
service provider network. 

4. (Original) A system as claimed in claim 1, wherein the computer network is a 
public network. 

5. (Original) A system as claimed in claim 1, wherein the access control devices 
compartmentalize the computer network into separate sub-networks of network 
devices. 

6. (Original) A system as claimed in claim 1, wherein the access control devices 
separate host computers from the computer network. 

7. (Original) A system as claimed in claim 1, further comprising a network 
modeling system for generating the usage model. 
8. (Original) A system as claimed in claim 7, wherein the network modeling
system receives flow information describing communications between network 
devices. 

9. (Original) A system as claimed in claim 8, wherein the flow information is 
collected by network communications devices. 

10. (Original) A system as claimed in claim 8, wherein the flow information is 
collected by the access control devices. 

11. (Original) A system as claimed in claim 8, wherein the network modeling 
system discards flow information between network devices in the computer 
network and network devices external to the computer network. 

12. (Original) A system as claimed in claim 7, wherein the network modeling 
system compares new network communications to the usage model and updates 
the usage model if the new network communications are not described by the 
usage model. 

13. (Original) A system as claimed in claim 1, wherein entries in the usage 
model comprise source addresses, destination addresses, source ports, and 
destination ports derived from the network communications. 

14. (Original) A system as claimed in claim 1, wherein entries in the usage 
model comprise source addresses, destination addresses, source ports, and 
destination ports derived from the network communications in addition to time 
stamp information indicating when the network communication was last detected. 

15. (Original) A system as claimed in claim 1, wherein entries in the usage
model comprise source addresses, destination addresses, source ports, and
destination ports derived from the network communications in addition to
frequency information indicating a frequency of the network communication.
16. (Original) A system as claimed in claim 1, wherein the attack detection
system monitors communications over the computer network for attack using 
signature detection. 

17. (Original) A system as claimed in claim 1, wherein the attack detection 
system performs heuristic modeling to determine whether the computer network 
is under attack. 

18. (Original) A system as claimed in claim 1, wherein the attack detection 
system monitors communications over the computer network for attack by 
monitoring changes in connections between network devices. 

19. (Original) A system as claimed in claim 1, wherein the control plane receives 
protocol information and/or port information characteristic of the attack and 
generates pass and/or blocking rules for the access control devices. 

20. (Original) A system as claimed in claim 1, wherein the control plane receives 
protocol information and/or port information characteristic of the attack and 
generates pass rules and blocking rules for the access control devices, in which 
the pass rules are generated from the usage model and the blocking rules are 
generated from the protocol information and/or port information characteristic of 
the attack. 

21. (Previously presented) A method for responding to an attack on a computer
network, the method comprising:

generating a usage model for the computer network;

determining whether the computer network may be under attack;

in response to detecting attack, determining characteristics of the attack; and

generating instructions to access control devices compartmentalizing the
computer network in response to the characteristics of the attack, wherein
the step of generating instructions to the access control devices comprises
formulating pass and/or blocking rules for the access control devices in
response to protocol characteristics and/or port characteristic of the attack;

issuing the instructions to the access control device which then
compartmentalize the computer network by implementing the pass and/or
blocking rules.

22. (Original) A method as claimed in claim 21, wherein the step of generating 
the usage model comprises saving records describing network communications to 
and from network devices on the computer network. 

23. (Original) A method as claimed in claim 21, wherein the step of generating 
the usage model comprises saving records describing network communications 
between network devices on the computer network. 

24. (Original) A method as claimed in claim 21, wherein the step of generating 
the usage model comprises saving records that include port, protocol, source 
address and destination address of network communications to and from network 
devices on the computer network, 

25. (Original) A method as claimed in claim 21, further comprising the step of 
the access control device compartmentalizing the computer network into separate 
sub-networks of network devices. 

26. (Original) A method as claimed in claim 21, further comprising the step of 
the access control device compartmentalizing the computer network by separating 
host computers from the computer network. 

27. (Original) A method as claimed in claim 21, wherein the step of generating a 
usage model comprises: 

collecting flow information at network communications devices; and 
passing the flow information to a network modeling system. 

28. (Original) A method as claimed in claim 27, wherein the step of collecting 
flow information is performed by the access control devices. 




29. (Original) A method as claimed in claim 21, wherein the step of generating a 
usage model comprises comparing network communications to the usage model 
and updating the usage model if the network communications are not described by 
the usage model. 

30. (Original) A method as claimed in claim 21, wherein the step of determining 
whether the computer network may be under attack comprises monitoring 
network communications for attack signatures. 

31. (Original) A method as claimed in claim 21, wherein the step of determining 
whether the computer network may be under attack comprises performing 
heuristic modeling to determine whether the computer network is under attack. 

32. (Original) A method as claimed in claim 21, wherein the step of determining 
whether the computer network may be under attack comprises monitoring 
changes in connections between network devices. 

33. (Cancelled) 

34. (Previously presented) A method as claimed in claim 21, wherein the step of 
generating instructions to the access control devices comprises generating pass 
rules and blocking rules for the access control devices, in which the pass rules are 
generated from the usage model and the blocking rules are generated from 
protocol and/or port characteristics of the attack. 

35. (Previously presented) A system for controlling communications over a
computer network, the system comprising:

access control devices for the computer network that control communications
between compartments of the computer network;

attack detection system for determining whether the computer network may be
under attack; and

a control plane for instructing the access control devices to only allow network
communications between the host computers in different compartments of
the computer network based on a usage model describing legitimate
network communications while restricting all other network
communications between the host computers, in response to attack.
Evidence Appendix



None 
Related Proceedings Appendix